PCI DSS v4.0 is coming, here’s how to prepare to comply


PCI DSS v4.0 will come into force in the first quarter of 2024 and will replace the current PCI standard v3.2.1, which has regulated the security of credit card transactions since 2018.

The new version of PCI DSS was published in March 2022. Both versions will co-exist until v3.2.1 is officially retired in favor of v4.0 on March 31, 2024. However, credit card companies and providers using credit card transactions have until March 2025 to demonstrate compliance with v4.0. This transition period provides organizations with the time they need to update their systems, policies, and procedures to achieve compliance with the updated standard.

What’s new in v4.0?

The new PCI standard is expected to include:

  • increased security, including enhanced multi-factor authentication, updates to password specifications, and updated requirements to combat phishing and other security breaches;
  • updated guidance on implementing security controls, procedures for identifying areas for improvement, more detail for auditors and other program assessors, and updated specifications of roles and responsibilities for each updated requirement;
  • support for the different ways organizations implement security, including establishing risk analysis practices that help improve overall security activities, and support for different types of accounts – e.g.
  • improvements to compliance activities, which address the various activities an organization can undertake to demonstrate compliance, such as completing a compliance report, self-assessment questionnaire and/or attestation of compliance;
  • increased focus on cybersecurity activities, including increased attention to encryption and network security to protect customer credit card information in transit; and
  • increased frequency of security controls testing, so that organizations establish a program to regularly test their security controls and confirm they meet v4.0 requirements.

The following are the 12 PCI DSS criteria:

  1. installing and maintaining network security controls;
  2. applying secure configurations to all system components;
  3. protecting stored account data;
  4. encrypting cardholder data;
  5. protecting systems against malware;
  6. developing and maintaining secure systems and applications;
  7. limiting access to cardholder data on a need-to-know basis;
  8. using unique identifiers for all users with network and system access;
  9. restricting physical access to cardholder data;
  10. logging and monitoring access to networks and cardholder data;
  11. regularly testing systems and resources for security; and
  12. developing, implementing and maintaining information security policies and programs.

Organizations that adhere to the criteria will find it easier to comply with PCI DSS v4.0 requirements.

Who needs to implement version 4.0?

Any company, merchant, or organization that handles cardholder data must comply with PCI DSS requirements. The standard also regulates data processing by major credit card companies, including Visa and Mastercard.

The specification divides organizations into the following four categories:

  1. Level 1: organizations completing 6 million or more transactions annually across all transaction categories.
  2. Level 2: organizations completing between 1 million and 6 million transactions annually across all categories.
  3. Level 3: organizations processing 20,000 to 1 million transactions annually across all categories.
  4. Level 4: organizations that process fewer than 20,000 electronic transactions annually, and other businesses that complete fewer than 1 million transactions in all categories each year.

How to prepare for v4.0 compliance

While PCI DSS v4.0 is not yet mandated, now is the time to begin the work required to demonstrate compliance with the new standard.

Here are 10 steps companies should take:

  1. Read and understand the updated requirements in version 4.0. Identify and understand criteria essential to achieving compliance.
  2. Compare existing policies, procedures, and other security-related activities with the requirements of the new version.
  3. Establish a team tasked with updating security activities, specifically policies, procedures, technology, and human expertise required for version 4.0 compliance.
  4. Remove all unnecessary data from the affected systems—particularly data deemed sensitive—to prevent data corruption or theft.
  5. Ensure relevant systems are protected from unauthorized access by threat actors.
  6. Examine the network perimeter to identify threats and vulnerabilities that could lead to security breaches.
  7. Maintain vigilance over systems by continuously monitoring and documenting security activities.
  8. Review the logs of systems that store, process or transmit cardholder data to confirm its security and availability.
  9. Ensure all data security activities are regularly tested and updated as necessary. Findings should be documented and follow-up reports used to demonstrate performance during audits.
  10. Regularly update senior management on the work the security team is doing to ensure compliance.

Once PCI DSS v4.0 is implemented, security measures will be further strengthened to protect cardholder data from a variety of potential risks and threats. Find more information about the new standard from the payment card industry and from security organizations that offer guidance and technology aimed at supporting the transition to the new standard.

This was last published in Aug 2022
